The commission shall:
(1) identify and inform the governor of:
  (a) cyber threats and vulnerabilities towards Utah's critical infrastructure;
  (b) cybersecurity assets and resources; and
  (c) an analysis of:
    (i) current cyber incident response capabilities;
    (ii) potential cyber threats; and
    (iii) areas of significant concern with respect to:
      (A) vulnerability to cyber attack; or
      (B) seriousness of consequences in the event of a cyber attack;
(2) provide resources with respect to cyber attacks in both the public and private sector, including:
  (a) best practices;
  (b) education; and
  (c) mitigation;
(3) promote cyber security awareness;
(4) share information;
(5) promote best practices to prevent and mitigate cyber attacks;
(6) enhance cyber capabilities and response for all Utahns;
(7) provide consistent outreach and collaboration with private and public sector organizations;
(8) share cyber threat intelligence to operators and overseers of Utah's critical infrastructure; and
(9) in accordance with Title 63G, Chapter 3, Utah Administrative Rulemaking Act, make rules establishing minimum cybersecurity standards for a local education agency, as that term is defined in Section 53G-3-402, that:
  (a) align with industry recognized cybersecurity frameworks and standards, including frameworks developed by the National Institute of Standards and Technology, the Center for Internet Security, or a successor organization;
  (b) take into account varying local education agency resources, capacity, and needs;
  (c) establish phased implementation timelines based on local education agency size, existing cybersecurity infrastructure, and available resources; and
  (d) as appropriate based on the local education agency's size, risk profile, and available resources, shall address:
    (i) identity and access management;
    (ii) asset management and inventory of hardware, software, and data systems;
    (iii) data protection;
    (iv) security monitoring and logging capabilities;
    (v) vulnerability management, including regular security assessments and patching procedures;
    (vi) incident response and recovery planning;
    (vii) security awareness training requirements for staff and administrators;
    (viii) third-party risk management for vendors with access to local education agency systems or data;
    (ix) network security controls;
    (x) backup and disaster recovery procedures; and
    (xi) governance structures for cybersecurity oversight within a local education agency.
Lexace provides legal information, not legal advice, and no attorney–client relationship is created. Statute text is provided for general information and may not reflect the most recent amendments; verify against the official state code.